'Digital birth ID' stirs privacy debate
By Dara Kam
The Palm Beach Post
Saturday, August 13, 2005
TALLAHASSEE — Imagine a virtual "thumbprint" that attaches your time and place of birth to your photo and iris scans — one of millions collected, warehoused and monitored by the watchful eye of Big Brother.
The technology is no longer just the stuff of science fiction. It's pretty much old news to tech-savvy security experts. Boring, even.
No government has tried it out on a large scale, but Florida might become the first.
A defense contractor has proposed that the state assign a "digital birth certificate" to each of its 16 million residents, in what some experts say is the best way to protect privacy and others fear is an entrée into a dystopian future.
"It is as Orwellian as you imagine it to be, and should be frightening," said Oscar Gandy, a professor at the University of Pennsylvania's Annenberg School of Communications who specializes in technology and public policy.
The proposal comes in response to a law quietly passed on the last day of this year's legislative session and signed by Gov. Jeb Bush.
The law, which focuses on making family courts more efficient, includes a provision requiring a board of court-related officials to come up with a mechanism to create a "unique personal identifier" to recognize individuals in court cases — a step toward eliminating Social Security numbers as ID numbers.
After Jan. 1, state law mandates that Social Security numbers be kept confidential in court records.
The state is in the process of integrating county, circuit and appeals court systems into a cohesive unit accessible by judges, attorneys and law enforcement officials. Under the current system, court cases are documented in a variety of ways — some by the names of those involved, others by case numbers — making it difficult to retrieve all court records relating to an individual.
The "digital birth certificate" proposal by Northrop Grumman, which hopes to win a contract with the state, is one of several under consideration. The board is scheduled to give its recommendations to Bush, House Speaker Allan Bense and Senate President Tom Lee by Jan. 2.
But the concept makes some privacy experts cringe.
"I think it's very, very bad for security," said Bruce Schneier, a security technologist and consultant. "It brings us one step closer to a police state."
Ken Aull, architect of the digital birth certificate, said his plan will make citizens safer because the biometrically coded record allows people's bodies to prove they are who they say they are.
The cost of implementing such a proposition probably would be prohibitive, Schneier said. Aull did not have an estimate.
But states may have to collect retinal scans or biometric data other than photographs for driver licenses and identification cards to comply with the recently passed federal Real ID Act. Driver license offices then would be outfitted with the equipment necessary for the digital birth certificate.
The Real ID Act requires all states to comply with a national standard for identification cards within five years.
The concept behind the certificate is simple, said Aull, a Northrop Grumman Mission Services distinguished technical fellow.
A government agency, such as the Florida Department of State, would issue a digital birth certificate that binds basic information — name, date and place of birth — and seals those to biometric identifiers such as fingerprints and iris scans.
The state agency would keep an individual's file confidential, making it available only when that person gives permission. The state also could use it to verify the identities of criminals.
Aull will pitch his plan to the technology board Friday.
In the past, more and more information became "attached" to individuals as they aged — addresses, telephone numbers, Social Security numbers, driver licenses and credit information.
Aull wants to separate all such information, which he calls "privileges," from the unique information that identifies a person, such as iris scans. He said his identifier would be so individual-specific that no one else can assume it, resulting in an "unforgeable" private key.
"In a single step, identity theft becomes impossible," Aull wrote in Technology Review Journal. "The only way to prove ownership of the identity is to present 'the body' to prove identity."
He estimated that a third of Florida's population could be enrolled in the system within a year.
Aull said the system includes a protection that electronically dissolves the birth certificate if someone tries to hack into it.
But security guru and Indiana University informatics professor L. Jean Camp said the digital birth certificate poses the same problems spawned by the Social Security number. That number, originally for tracking payroll taxes, gradually became a tool for identification and authentication.
"Because the threat model wasn't understood as its use expanded, we have created a tremendous problem," said Camp, who founded the information technology group at Harvard University's Kennedy School of Government. "As you start to expand these identifiers beyond their intended functions, you create new weaknesses."
Experts who agree with Camp envision the certificates linked with other databases. If such data were sold to vendors in the same way driver license information is now traded, it could result in virtual X-rays of the identities of millions of people.
A digital dossier grounded on an identification number "changes our ability to interact with others" and opens the door for profiling, said Gandy, who serves on the board of the nonprofit Electronic Privacy Information Center.
"My concern is about discrimination, about opportunities that you are provided or denied on the basis of your identification," Gandy said. "We should go back to a set of privacy principles that talk about limitations on the gathering of information, the use of information and the sharing of information."
Aull maintains that the implementation of the digital birth certificate, originally conceived as an anti-terrorism measure, must be accompanied by legislation forbidding the government from using the data for any other purpose — and creating stiff penalties of up to $10 million for anyone who tries to tamper with the certificates.
He also insists that the data should not be linked to other information, such as bank account numbers or Social Security numbers.
A separate proposal by the state Department of Highway Safety and Motor Vehicles would use driver licenses as the unique personal identifiers required by the new law.
Officials for the highway department estimate that such a shift would cost at least $4.4 million to implement and $2.5 million a year to maintain. They said during a presentation that they feared the federal Real ID Act might hinder the use of driver license numbers as unique identifiers, although they did not elaborate.
Still in the discussion phase, the digital birth certificate raises as many questions as it answers — even to privacy experts, who liken the concept to an electronic numerical tattoo.
For example, will the virtual documents be considered a public record? Will adults be forced to submit such intimate information to the state? What would be the penalty for those who refuse? Will it be accompanied by legislation preventing aggregation of the certificates with other personal information?
None of that may matter to most people, the experts acknowledge, as Americans seem more willing to give up their privacy rights since the Sept. 11 attacks.
"We will take... all of your private and intimate details away and put them somewhere where other people can see them," said Melissa Ngo of EPIC. "People become so used to not having privacy that more and more privacy is taken away."
By Dara Kam
The Palm Beach Post
Saturday, August 13, 2005
TALLAHASSEE — Imagine a virtual "thumbprint" that attaches your time and place of birth to your photo and iris scans — one of millions collected, warehoused and monitored by the watchful eye of Big Brother.
The technology is no longer just the stuff of science fiction. It's pretty much old news to tech-savvy security experts. Boring, even.
No government has tried it out on a large scale, but Florida might become the first.
A defense contractor has proposed that the state assign a "digital birth certificate" to each of its 16 million residents, in what some experts say is the best way to protect privacy and others fear is an entrée into a dystopian future.
"It is as Orwellian as you imagine it to be, and should be frightening," said Oscar Gandy, a professor at the University of Pennsylvania's Annenberg School of Communications who specializes in technology and public policy.
The proposal comes in response to a law quietly passed on the last day of this year's legislative session and signed by Gov. Jeb Bush.
The law, which focuses on making family courts more efficient, includes a provision requiring a board of court-related officials to come up with a mechanism to create a "unique personal identifier" to recognize individuals in court cases — a step toward eliminating Social Security numbers as ID numbers.
After Jan. 1, state law mandates that Social Security numbers be kept confidential in court records.
The state is in the process of integrating county, circuit and appeals court systems into a cohesive unit accessible by judges, attorneys and law enforcement officials. Under the current system, court cases are documented in a variety of ways — some by the names of those involved, others by case numbers — making it difficult to retrieve all court records relating to an individual.
The "digital birth certificate" proposal by Northrop Grumman, which hopes to win a contract with the state, is one of several under consideration. The board is scheduled to give its recommendations to Bush, House Speaker Allan Bense and Senate President Tom Lee by Jan. 2.
But the concept makes some privacy experts cringe.
"I think it's very, very bad for security," said Bruce Schneier, a security technologist and consultant. "It brings us one step closer to a police state."
Ken Aull, architect of the digital birth certificate, said his plan will make citizens safer because the biometrically coded record allows people's bodies to prove they are who they say they are.
The cost of implementing such a proposition probably would be prohibitive, Schneier said. Aull did not have an estimate.
But states may have to collect retinal scans or biometric data other than photographs for driver licenses and identification cards to comply with the recently passed federal Real ID Act. Driver license offices then would be outfitted with the equipment necessary for the digital birth certificate.
The Real ID Act requires all states to comply with a national standard for identification cards within five years.
The concept behind the certificate is simple, said Aull, a Northrop Grumman Mission Services distinguished technical fellow.
A government agency, such as the Florida Department of State, would issue a digital birth certificate that binds basic information — name, date and place of birth — and seals those to biometric identifiers such as fingerprints and iris scans.
The state agency would keep an individual's file confidential, making it available only when that person gives permission. The state also could use it to verify the identities of criminals.
Aull will pitch his plan to the technology board Friday.
In the past, more and more information became "attached" to individuals as they aged — addresses, telephone numbers, Social Security numbers, driver licenses and credit information.
Aull wants to separate all such information, which he calls "privileges," from the unique information that identifies a person, such as iris scans. He said his identifier would be so individual-specific that no one else can assume it, resulting in an "unforgeable" private key.
"In a single step, identity theft becomes impossible," Aull wrote in Technology Review Journal. "The only way to prove ownership of the identity is to present 'the body' to prove identity."
He estimated that a third of Florida's population could be enrolled in the system within a year.
Aull said the system includes a protection that electronically dissolves the birth certificate if someone tries to hack into it.
But security guru and Indiana University informatics professor L. Jean Camp said the digital birth certificate poses the same problems spawned by the Social Security number. That number, originally for tracking payroll taxes, gradually became a tool for identification and authentication.
"Because the threat model wasn't understood as its use expanded, we have created a tremendous problem," said Camp, who founded the information technology group at Harvard University's Kennedy School of Government. "As you start to expand these identifiers beyond their intended functions, you create new weaknesses."
Experts who agree with Camp envision the certificates linked with other databases. If such data were sold to vendors in the same way driver license information is now traded, it could result in virtual X-rays of the identities of millions of people.
A digital dossier grounded on an identification number "changes our ability to interact with others" and opens the door for profiling, said Gandy, who serves on the board of the nonprofit Electronic Privacy Information Center.
"My concern is about discrimination, about opportunities that you are provided or denied on the basis of your identification," Gandy said. "We should go back to a set of privacy principles that talk about limitations on the gathering of information, the use of information and the sharing of information."
Aull maintains that the implementation of the digital birth certificate, originally conceived as an anti-terrorism measure, must be accompanied by legislation forbidding the government from using the data for any other purpose — and creating stiff penalties of up to $10 million for anyone who tries to tamper with the certificates.
He also insists that the data should not be linked to other information, such as bank account numbers or Social Security numbers.
A separate proposal by the state Department of Highway Safety and Motor Vehicles would use driver licenses as the unique personal identifiers required by the new law.
Officials for the highway department estimate that such a shift would cost at least $4.4 million to implement and $2.5 million a year to maintain. They said during a presentation that they feared the federal Real ID Act might hinder the use of driver license numbers as unique identifiers, although they did not elaborate.
Still in the discussion phase, the digital birth certificate raises as many questions as it answers — even to privacy experts, who liken the concept to an electronic numerical tattoo.
For example, will the virtual documents be considered a public record? Will adults be forced to submit such intimate information to the state? What would be the penalty for those who refuse? Will it be accompanied by legislation preventing aggregation of the certificates with other personal information?
None of that may matter to most people, the experts acknowledge, as Americans seem more willing to give up their privacy rights since the Sept. 11 attacks.
"We will take... all of your private and intimate details away and put them somewhere where other people can see them," said Melissa Ngo of EPIC. "People become so used to not having privacy that more and more privacy is taken away."